I'm taking a couple weeks off before the busiest part of Microsoft's 2012 kicks into full gear. But never fear: The Microsoft watching will go on while I'm gone. I've asked a few illustrious members of the worldwide Microsoft community to share their insights via guest posts on a variety of topics -- from Windows Phone, to Hyper-V. Today's entry is all about a new administrative feature in Windows 8 and is authored by Alan Burchill.
As most IT administrators know, group policy is the feature in Windows that allows you to configure a large number of Windows computers easily and automatically. These configuration settings are stored in Active Directory (AD), and each workstation polls AD on a periodic basis for any configuration changes. This polling typically takes 90 minutes (with some random offset), meaning that any configuration change that an IT admin makes takes up to 2 hours or more to take effect.
One of the great new features that Microsoft has added to Windows 8 is the ability to force a group policy update to run. This new feature, called “Group Policy Update,” effectively gives admins a way to push out configuration changes to all the computers online in less than 10 minutes. This is, of course, very handy if you want to push out a quick policy change or quickly undo a setting that you might have configured by mistake.
To initiate this Group Policy Update, all an administrator has to do is right-click on any of the Organizational Units (OUs) in AD and click the “Group Policy Update...” option. (See image below.)
Once the administrator has followed the Group Policy Update wizard, it establishes a connection with every computer in that OU and creates a scheduled task to run “gpupdate.exe /force” for both the computer and any users currently logged on. (See image below.)
Any computers that are shut down or disconnected when this happens are not affected, as the wizard cannot reach them. However, in this case, a policy update is triggered automatically when they are next turned on or connect to the corporate LAN.
One very important note about this feature is that admins will need to open up some holes in the client firewall to allow the incoming connection that creates the scheduled task. This can, of course, also be done via group policy. However, admins will need to allow for the standard 90 minutes (give or take) for this to take effect in advance.
The required firewall rules that need to be enabled on the client are:
Remote Scheduled Tasks Management (RPC)
Remote Scheduled Tasks Management (RPC-EPMAP)
Windows Management Instrumentation (WMI-IN)
As is true with almost everything else in Windows 8, PowerShell prevails; admins can also run the same Group Policy Update using it. The necessary command is called “Invoke-GPUpdate” and it provides a little more power, such as targeting a single computer or scheduling the update to run straight away instead of waiting the standard 10 minutes.
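The PowerShell route described above, together with a check of the three client firewall rules, as an added example that is not part of the original post. The OU path and the two function names are placeholders chosen for illustration; the script assumes the ActiveDirectory and GroupPolicy modules are installed on the admin workstation.

```powershell
Import-Module ActiveDirectory, GroupPolicy

$ou = 'OU=Workstations,DC=example,DC=com'   # placeholder: replace with your OU

# The three inbound rules listed above. Run Test-GPUpdateFirewallRules locally
# on a client to confirm the firewall GPO has applied before pushing remotely.
$requiredRules = @(
    'Remote Scheduled Tasks Management (RPC)',
    'Remote Scheduled Tasks Management (RPC-EPMAP)',
    'Windows Management Instrumentation (WMI-In)'
)

function Test-GPUpdateFirewallRules {
    foreach ($name in $requiredRules) {
        $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Rule    = $name
            Enabled = [bool]($rules | Where-Object { $_.Enabled -eq 'True' })
            # Shows which firewall profiles the rule applies to, so exposure
            # beyond the Domain profile is visible at a glance.
            Profile = ($rules.Profile | Sort-Object -Unique) -join ','
        }
    }
}

# Push the refresh to every computer in one OU and record which hosts could
# not be reached (offline, or the rules above are not yet enabled on them).
function Invoke-OUPolicyRefresh {
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $result = [pscustomobject]@{ Computer = $_.Name; Status = 'Scheduled'; Error = $null }
        try {
            # -RandomDelayInMinutes 0 schedules the refresh to run immediately
            Invoke-GPUpdate -Computer $_.DNSHostName -RandomDelayInMinutes 0 -Force -ErrorAction Stop
        } catch {
            $result.Status = 'Failed'
            $result.Error  = $_.Exception.Message
        }
        $result
    }
}

Invoke-OUPolicyRefresh -SearchBase $ou | Sort-Object Status | Format-Table -AutoSize
```

Hosts reported as Failed are the ones to recheck with Test-GPUpdateFirewallRules once they are back online.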
As with anything to do with group policy, administrators (like Spiderman) have great power, and this means you must take great caution before making any changes in your environment -- so keep in mind that if the changes you are making to the computers cause a lot of load, you could very easily bring your network to a grinding halt. This is why Microsoft only allows admins to perform a group policy update on an OU and not the entire domain. However, it has been tested on over 10,000 computers at once with a single (presumably very powerful) domain controller, so it is pretty safe if all you are updating is a shortcut or something along those lines.
While this feature should not be used in day-to-day operation, it is certainly nice to know it exists out of the box in case you need to quickly make a policy change.